Troubleshooting issues with domains connected to Shopify

Notification: Your domain's A record doesn't point to Shopify. Open your domain provider's DNS settings for example.com and assign 23.227.38.65 to its A record.

The A record is responsible for pointing your domain to Shopify. If your A record isn't configured correctly, then you'll experience connectivity issues.

Steps:

1. Visit your domain provider's DNS settings.
2. Verify that your A record points to the IP address recommended by the banner on Settings > Domains in your Shopify admin.
3. If you need to update the A record, then assign 23.227.38.65 to the A record field.

Notification: Your domain has too many A records. Having multiple A records might cause connection issues. To follow best practices, open your domain provider's DNS settings for example.com and assign 23.227.38.65 to its A record.

When multiple A records are provided, one is selected at random by the browser each time your domain is visited. If you have multiple A records, then some visitors might arrive at your store and others might be routed elsewhere.

Steps:

1. Visit your domain provider's DNS settings.

2. Remove any additional A records.

3. Verify that only one A record exists pointing to 23.227.38.65.

Notification: Your domain's CNAME record doesn't point to Shopify. Open your domain provider's DNS settings for example.com and assign shops.myshopify.com. to its CNAME record.

The CNAME record is responsible for handling any subdomains that need to point to Shopify for correct routing.

Steps:

1. Visit your domain provider's DNS settings.
2. Verify that your CNAME record points to shops.myshopify.com.
3. If you need to update the CNAME record, then assign shops.myshopify.com. to the CNAME field.

Notification: Your domain has no CNAME record. Open your domain provider's DNS settings for example.com and assign shops.myshopify.com. to its CNAME record.

The CNAME record ensures that any subdomains of your domain map correctly to your Shopify store.

Steps:

1. Visit your domain provider's DNS settings.
2. Add a CNAME record.
3. Assign shops.myshopify.com. to the CNAME field.

Notification: Your domain is using a Cloudflare Proxy, which Shopify does not support. If you're unsure about this, then contact Shopify Support for assistance.

This issue occurs when traffic to your domain passes through Cloudflare before reaching Shopify. There are two common configurations that cause this:

• Cloudflare DNS proxy (orange cloud): When the proxy toggle is enabled in your Cloudflare DNS settings, DNS lookups return Cloudflare IP addresses instead of the actual origin server IPs. Traffic is routed through Cloudflare's network before reaching Shopify.
• Orange-to-Orange (O2O): O2O is a Cloudflare configuration where a merchant's own Cloudflare zone sits in front of Shopify's Cloudflare zone. This creates a layered proxy setup where traffic passes through two Cloudflare zones.

Both configurations can cause the following issues:

• SSL certificate provisioning failures: Shopify needs to verify domain ownership through HTTP challenges (ACME) to issue SSL certificates. A Cloudflare proxy can block or interfere with these challenges, which delays or prevents certificate issuance and renewal.
• Loss of resiliency: Shopify uses multiple providers to ensure reliable operation of our services. Any additional proxies put in place in front of Shopify are likely to interfere with our ability to react to provider issues, which makes your store more vulnerable to outages. In some cases this may make your store slower or even unavailable for extended periods of time.
• Reduced bot detection accuracy: Shopify's bot detection relies on seeing the original request from the visitor. When traffic passes through a Cloudflare proxy, request attributes are altered before reaching Shopify, which reduces the effectiveness of bot detection and can increase unwanted bot traffic to your store.
• Unsupported configuration: Cloudflare proxy setups, including O2O, aren't supported by Shopify. Although your store might appear to function correctly, this setup could break at any time because of changes on either the Cloudflare or Shopify side. Any issues that arise from using a Cloudflare proxy in front of your Shopify store are outside the scope of Shopify Support.

If you haven't configured Cloudflare or other proxies, then it's possible that they were set up by your DNS provider by default.

Steps:

1. Contact your third party domain host for support to review proxy settings.
2. If there's no proxy setup on your domain, then contact Shopify Support for further guidance.
3. If your Cloudflare DNS displays "DNS only" in the settings, then the error might resolve itself within 24 hours.
4. If you're still experiencing the issue after 24 hours, then contact Cloudflare's support team.

Shopify doesn't support the setup of services such as Cloudflare DNS and Orange-to-Orange (O2O).

Notification: Your domain doesn't permit Google, Let's Encrypt and SSL.com to provision SSL certificates. Open your domain provider's DNS settings for example.com and add a CAA record for letsencrypt.org, pki.goog and ssl.com.

Your CAA settings must grant access to the certificate authorities that Shopify uses to issue SSL certificates.

Steps:

1. Visit your domain provider's DNS settings.
2. Add CAA records for the following certificate authorities:
   • Let's Encrypt (letsencrypt.org)
   • Google (pki.goog)
   • SSL.com (ssl.com)
3. Verify that these CAA records are in your existing CAA record list to allow Shopify to provision a free SSL certificate for your domain.

Notification: Your domain's CAA record blocks SSL certificate provisioning. Open your domain provider's DNS settings for example.com and check that there's one CAA record each for letsencrypt.org, pki.goog and ssl.com. Make sure your CAA records don't contain semicolons (";"). Alternatively, delete your CAA records.

A semicolon in your CAA record signifies that no certificate authority is allowed to provision SSL certificates for this domain.

Steps:

1. Visit your domain provider's DNS settings.

2. Review your CAA records and remove any semicolons (";").

3. Alternatively, remove the CAA record completely.

4. If you're keeping CAA records, then verify that they allow the following certifications:

   • Let's Encrypt (letsencrypt.org)
   • Google (pki.goog)
   • SSL.com (ssl.com)

Notification: Your domain's AAAA record doesn't point to Shopify. Open your domain provider's DNS settings for example.com and assign 2620:0127:f00f:5:: to its AAAA record.

The AAAA record is responsible for pointing your domain to Shopify on the IPv6 network. If the AAAA record isn't configured correctly, then some users will experience connectivity issues.

Steps:

1. Visit your domain provider's DNS settings.
2. Update your AAAA record to point to 2620:0127:f00f:5::.
3. If your third-party domain host doesn't accept the condensed IPv6 address, then use the expanded version: 2620:0127:f00f:0005:0000:0000:0000:0000.

Notification: Your domain has too many AAAA records. Having multiple AAAA records might cause connection issues. To follow current best practices, open your domain provider's DNS settings for example.com and assign 2620:0127:f00f:5:: to its AAAA record.

When multiple AAAA records are provided, one is selected at random by the browser each time your domain is visited. If you have multiple AAAA records, then some visitors might arrive at your store and others might be routed elsewhere.

Steps:

1. Visit your domain provider's DNS settings.

2. Remove any additional AAAA records.

3. Verify that only one AAAA record exists pointing to 2620:0127:f00f:5::.

Notification: A DNSSEC misconfiguration is blocking access to your DNS records.

When you connect a third-party domain to Shopify, the connection flow checks whether DNSSEC is active on your domain. If DNSSEC is detected, then the domain isn't considered fully connected even if all other DNS records are correctly configured. The connection flow displays a Disable DNSSEC step in the DNS configuration instructions and shows a warning banner until DNSSEC is disabled.

Steps:

1. Log in to your third-party domain provider's dashboard.
2. Find the DNSSEC setting. Depending on your provider, this might be under DNS, Advanced DNS, Domain Security, or Domain Settings.
3. Turn off or disable DNSSEC for your domain.
4. Save your changes. The update can take up to 48 hours to propagate.
5. Return to Settings > Domains in your Shopify admin. The DNSSEC warning should disappear and the domain should connect once all other DNS records are correct.

Notification: Your domain has an unsupported DNSSEC record. Shopify doesn't support DNSSEC at this time. Contact support to have it removed.

If your domain is transferred to Shopify from another provider with DNSSEC already activated, then this configuration transfers over with your domain. DNSSEC is currently unsupported by Shopify and prevents your domain from resolving.

Steps:

Contact Shopify Support so that they can assist in removing unsupported DNSSEC records.

Notification: Your domain nameservers returned an unexpected value. Nameserver issues can make your site unreachable by customers. Contact support for more information.

Your domain is returning nameserver values that are different from what is configured in your Shopify admin. This can occur when a domain has a hold on it and requires attention.

For EU domains (.DE, .IT, .EU, .BE, .NL): If you have an EU domain extension, then this issue may be caused by a pending registry verification. Check your email for verification requests and refer to Verifying your EU domain registration information for guidance.

Steps:

Contact Shopify Support for help resolving nameserver configuration issues.

Notification: Error fetching domain {record_type} record. Open your domain provider's DNS settings for example.com and check that the record is set correctly.

This notification is the result of either no record being set up, a misconfiguration blocking DNS resolution, or a temporary DNS connection issue.

Steps:

1. Verify your DNS settings with your domain provider.

2. If there are no issues with your DNS configuration, then wait up to 48 hours for DNS updates to propagate.

3. If the issue persists after 48 hours, then contact Shopify Support.

Notification: Your domain has a wildcard record pointing to Shopify. Having a wildcard record (*.example.com) pointed to Shopify can interfere with your site and isn't supported. Open your domain provider's DNS settings for example.com and remove the wildcard record.

We don't recommend pointing a wildcard record to Shopify as it might cause unexpected behavior.

Steps:

1. Visit your domain provider's DNS settings.

2. Remove the wildcard record (*.example.com).

3. Set your records for all specific subdomains instead of using wildcard records.

Symptom: Your domain displays SSL pending or TLS pending in your Shopify admin.

After you connect a domain to Shopify, it can take up to 48 hours for the TLS certificate to be issued. During that time, a TLS or SSL pending status displays in your Shopify admin.

Steps:

1. Wait 48 hours for DNS propagation and certificate provisioning.
2. Verify that your A record is 23.227.38.65, your AAAA record is 2620:0127:f00f:5::, and your CNAME record is shops.myshopify.com.
3. If you use CAA records, then verify that you have added all the required certification authorities.
4. If you have DNSSEC activated for your domain, then deactivate it.
5. If the status is still pending after 48 hours, then contact Shopify Support.

Learn more about enabling secure connections to your Shopify store.

Symptom: Your domain displays SSL unavailable or customers see a Your connection is unsecure message when visiting your store.

This error occurs when Shopify can't provision an SSL certificate for your domain. Common causes include incorrect DNS records, CAA records blocking certificate authorities, or DNSSEC being activated.

Steps:

1. Verify that your A record is 23.227.38.65.
2. Verify that your AAAA record is 2620:0127:f00f:5::.
3. Verify that your CNAME record is shops.myshopify.com.
4. If you use CAA records, then verify that you have added letsencrypt.org, pki.goog, and ssl.com.
5. If you have DNSSEC activated for your domain, then deactivate it through your domain provider.
6. If you're using Android 7.0 or lower, then upgrade your device.
7. If you're using a browser version from before 2010, then update your browser to the latest version.
8. If the issue persists after verifying all settings, then contact Shopify Support.

Learn more about troubleshooting security errors for your third-party domain.

DNS changes can take up to 48 hours to propagate globally. During this time, your domain might intermittently display errors or be unreachable for some visitors. Avoid making additional DNS changes during the propagation period, as this can reset the timer and cause further delays.

SSL certificates require correct DNS configuration to be provisioned. If your SSL certificate isn't working, then verify the following requirements:

• Your A record points to 23.227.38.65
• Your AAAA record points to 2620:0127:f00f:5::
• Your CNAME record points to shops.myshopify.com.
• DNSSEC is deactivated
• If you have CAA records, then they include letsencrypt.org, pki.goog, and ssl.com

Learn more about enabling secure connections to your Shopify store.

Shopify Support can provide guidance on what DNS settings are needed, but doesn't have access to your third-party domain provider's settings. If you need help making changes to your DNS records, then contact your domain provider directly. Your domain provider can help you locate and modify your DNS settings.

Learn more about connecting a third-party domain to Shopify.

DNSSEC (Domain Name System Security Extensions) is a security feature that adds authentication to DNS responses. While DNSSEC provides additional security, it's not currently supported by Shopify and can prevent your domain from resolving correctly or cause SSL certificate issues.

When you connect a third-party domain, Shopify detects whether DNSSEC is active and displays a warning in the connection flow. Even if all of your DNS records are correctly configured, the domain isn't considered fully connected until DNSSEC is deactivated.

If you have a third-party domain with DNSSEC activated, then contact your domain provider to deactivate it. If you have a Shopify-managed domain with DNSSEC from a previous provider, then contact Shopify Support for assistance.

When multiple A records or AAAA records exist for a domain, browsers randomly select one to use. If you have multiple records and only one points to Shopify, then some visitors will reach your store while others might be routed to a different website or receive connection errors. To ensure consistent connectivity, you should have only one A record and only one AAAA record, both pointing to Shopify.

EU domain extensions (such as .DE, .IT, .EU, .BE, .NL) may require identity verification to comply with NIS2 regulations. If your domain displays an Action Required badge, then check your email for a verification request and follow the instructions to complete the verification process.

Learn more about verifying your EU domain registration information.